Keybase

Discussion in 'privacy general' started by mirimir, Jan 8, 2015.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    I recently learned of https://keybase.io/ from http://lists.gnupg.org/mailman/listinfo/gnupg-users . It's also at http://fncuwbiisyh6ak3i.onion .
    It's arguably an enhanced keyserver, which aggregates authenticated crosslinking of a user's public GnuPG key to their social media username(s).

    So I've signed up: https://keybase.io/mirimir :)

For Reddit, there's this:
    Code:
    Keybase proof
    
    I hereby claim:
    
      I am mirimira on reddit.
      I am mirimir on keybase.
      I have a public key whose fingerprint is BF24 D19E 7B33 536E 7512 BA47 620D 6551 17C2 E43E
    
    To claim this, I am signing this object:
    
    {
      "body": {
        "key": {
          "fingerprint": "bf24d19e7b33536e7512ba47620d655117c2e43e",
          "host": "keybase.io",
          "key_id": "620d655117c2e43e",
          "kid": "01018e5fe4f021b63e55c393384530c7c9250a582fc535308e4847a4093b4fa6ce520a",
          "uid": "c742d95ac1be1182a82661330540aa00",
          "username": "mirimir"
        },
        "service": {
          "name": "reddit",
          "username": "mirimira"
        },
        "type": "web_service_binding",
        "version": 1
      },
      "ctime": 1420677929,
      "expire_in": 157680000,
      "prev": "49d2842ae0aab85efe1e6879e010dcabf3e0ab06c6c2e3f6f0a288b12fe0f55a",
      "seqno": 2,
      "tag": "signature"
    }
    
    with the PGP key referenced above, yielding the PGP signature:
    
    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.11 (GNU/Linux)
    
    owFtUl1IFFEY3TWTFIz0RaHwYTIkWuveO3PnZ1FLFCJJUojARJY7M9+sg7i7za7m
    T0sPplFSFGJqZKVRIWFSFj2ISv6gIEXlkxVFIkQqqJGPRXfE3rpwudzznXM4HL4b
    qTs8CV49FcozJpYKvHOvNd1zenC+uFnQw2aj4G8WamDrsexQEJyIY4digl/QLSKZ
    WANFF0UqyqBQTHQmKTJBpkwpxopBQBJB8AnV4air4DY6i8JhO8wx/gnYJkf/w6/Z
    GiCMsArUAslCBOuyCJQaoiaKqkRFZCiGRihiVCWWQXkCpIKkSgqTkCbqksVkAyhB
    jNvVbdkZikRMjTID64CxSphKZBmLIqISYgwhlxgFJ8RqgbNrbcfmV4j7BA7W2wa4
    DWwPHTBNO/ZfAXMVscaIC50HPbAtDuh2yOT1cU09OFE7HBL8mDONmO2qsUSQrCga
    0XwCNERsBwK2y6CKrCJ+fELEgXpuKWkmUSXCgEfWVQoWYJBVRQNelmkw3RL5REey
    IfMyRUu2ECOqqmNiAbIodduIwrlQWPATHpMFuWXUDoZYrM4BIZ5yxbsv0eNN8CTt
    THA3wJOSvOffXnS37PLcwuhiuvFzbaa2ryQ3v+ONcH6kNOve73c/nj++cOjY9NH0
    eLwIoOV+/GTW5PRK08j4YNbttM6K5jvVQU9V4sZo9EBBMHuhPzntc/bejEjrh9SF
    7m8bvWOFsz2N5SVl7QM5z4Y/NA0NLniTjhcM+2ZLQp2PMmcCLYHK1f11p4p6+r8X
    ji2NV71/sYh25OePN6zcXUmsaf/25xosNwXWLq2Xje+eaJx6kDfzcmFzfsRLI/m4
    cqy37HLn6nJh2+a6f104koJzwjcHMnJHWy/I17WHNa9KJ9t+PaF5v86ac13STNdi
    d9+Z4i8fN66+/3oi8+lq59uDUxUdZOhTb6y+1Rn6Cw==
    =YuC+
    -----END PGP MESSAGE-----
    
    Finally, I am proving my reddit account by posting it in KeybaseProofs.
    https://www.reddit.com/r/KeybasePro...ybase_proof_redditmirimira_keybasemirimir_dm/

    The same could be done for any online account.

    But there's this scary-sounding feature called "tracking" :eek:

    It's not about the NSA tracking us. It's about our friends watching our backs, and jointly checking that those we care about haven't had their accounts compromised:
    https://keybase.io/docs/tracking

    Still, the NSA could be one of our trackers :oops:

    But as long as I only link Mirimir's accounts, is there anything that I need to hide from anyone?
     
    Last edited: Jan 8, 2015
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Thanks, I had a quick look at this and thought it was a sensible idea, particularly because it allowed for more attested keys (and less of the abandoned dross). I don't think the tracking implies any exposure. What the system does cry out to me is: use strong authentication for your social media accounts! Because they provide your attestation of the info on the keybase.

    I wanted to understand their governance better, but in a way, it's got to be better than CAs! And I don't think they're asking for too much trust - you can trust the results as much as you want, and at least it's linked to some other "public" thing, which you can check independently.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    It's linked to multiple public things. And many independent followers can maintain histories of signed snapshots. From https://keybase.io/docs/tracking :
    What I don't see is how maria's friends (aka trackers) compare snapshots.

    I guess that I'll just start tracking someone, and see what shows up :)
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    I forgot to mention a key (ha ha) issue:
    http://www.wired.com/2014/04/keybase/

    I wonder how many people trust Keybase that much. Not me :)
     
  5. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    So basically to protect against account compromise or even impersonation, right? That's something that I've been wondering about how to protect against too. The only downsides I can see are if someone instead prefers different aliases per account per site- protection against stalkers or people looking to profile you and who you associate with. Of course it's always risks/benefits.

    Pretty neat though. Probably might do it. :thumb:

    edit

    I'd also add that the founders are from OkCupid, so it could be another social media account type vibe. Again, this isn't a big thing for those that use the same screennames for multiple public sites in which there's no risk any of the accounts could tip off personal identification or information not want out there. In some respects, I think it could make it easier for an attacker to profile a person through Keybase than a search engine lookup of their username.

    But again, that's dependent on the person- it's not a fault of Keybase. Obviously no software or site can protect a user from what they publicly put out there. Just a person might consider a fresh account handle if they have any doubts.
     
    Last edited: Jan 9, 2015
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    I gather that the key goal is verifiable identity. For someone like Mirimir, maybe that doesn't matter so much (except to me, anyway). But for Patrick Schleizer aka adrelanos < https://keybase.io/adrelanos > it may be good to know that you're actually communicating with the person who signs Whonix releases. He has four accounts linked, plus the email address in his GnuPG key. An adversary would need to compromise all of them in order to effectively impersonate him. And as more other Keybase users track him, multiple independent histories develop.
    Well, I suppose that it is that. But it's also a way to make GnuPG encryption far easier to use. And Keybase is not just a website. It's an API.
    The answer there is compartmentalization. It's fine to use the same account names for multiple sites, as long as it's done with intention. For example, there is absolutely nothing out there that links Mirimir to my true name. I have other identities. Some are more linked to my true name, and some are even less linked. Sometimes I'm as anonymous as Tor can make me. It all depends on what I'm up to.
    Yes, the danger with Keybase is that people will end up linking stuff that they really shouldn't have. But that doesn't make Keybase a bad idea. We need better OPSEC education :)
    True. And even though it's hard to walk away from an old online identity, sometimes it's all for the best :)
     
  7. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Exactly what I'm getting at. :thumb:
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Nor me - giving them private keys seems a completely unnecessary thing to do, it needs to be on the client, that's what APIs are for.

    Agree with the comments about compartmentalisation of personas, but linking via Keybase only highlights the needs for consistency and planning - and in any case, there are many other potential leak mechanisms and ways the cloud is linking identities. Perhaps it would actually get people to think a little more closely about Opsec rather than relying on security through obscurity.
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Most internet surfers would NOT even know what Opsec stood for! For me, nobody gets private keys because then I lose control.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    That's true. But there's also the requirement for consistency among all of the social media accounts that you claim. So the whole is far stronger than any single account.
    Yes, it's really an API. The website is just a canonical example for using the API. As they develop it further, there will be automatic cross-checking of historical claim-web snapshots from all users tracking (following, auditing, etc) a given user. So with time, a persona (which can be arbitrarily strongly pseudonymous) can establish an Internet-wide identity which is verified by consensus, and is not dependent on any particular third party. That's very useful for activists and freelancers of all sorts (writers, software developers, consultants, etc). It could also replace the CA morass.

    By the way, I have a few invites to Keybase that bypass the wait list. If interested, just PM me with an email address. And be very careful to think it through, and avoid linking stuff that you don't really want to. In particular, you'd be linking the account to an invitation from Mirimir :eek:
     
    Last edited: Jan 9, 2015
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Thanks - and would that be quickly followed by a knock on the door?! :isay:

    I'm also thinking about how this kind of concept could be extended to other forms of certificates, keys, secrets and so on - I have too many, from schemes other than PGP. It would be neat to be able to publish public keys or public hashes for these in the same way, because they'd all similarly benefit for this kind of attestation and history. X.509 public certs (server and code signing), and code hashes come to mind.
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Just don't point them at a door ;)
    In order to claim a GnuPG key, you upload the public key to Keybase. Then you run some code that scrapes your public key from Keybase, signs it with your private key, and then uploads the result to Keybase. Once Keybase verifies the signature, it knows that you own said GnuPG key. Just having a self-signed public key from some keyserver doesn't suffice, because you can't do the signing on demand. There's probably a salt involved, now that I think of it.

    One could presumably do the same with any cert, hash or even arbitrary string. You'd upload it to Keybase, and do the same scrape, GnuPG sign and upload process as for GnuPG keys. But there's no code for that yet. You could make a feature request on their GitHub.
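The two technical threads above, the structure of the proof statement posted in the first message and the idea (post 10) of trackers keeping and cross-checking snapshots of a user's claims, can be illustrated with a small checker. The following is an added example, not Keybase's code or anything from its API: it parses a proof text modelled on the one posted above, confirms that the human-readable claims agree with the JSON object that was signed (the key ID being the low 64 bits of a v4 OpenPGP fingerprint is standard OpenPGP, everything else about the snapshot format and the alert rules is this example's own assumption), and diffs two snapshots the way a tracker might, raising alerts when the key or a linked account changes. It does not verify the PGP signature itself; that step still needs GnuPG and the claimed public key.

```python
"""Offline consistency checks for a Keybase-style proof and for tracker snapshots.

Added example, not Keybase's own code. The snapshot format and alert rules are
assumptions made for illustration; the PGP signature is not verified here.
"""
import hashlib
import json
import re

# Sample input, constructed from the proof posted earlier in the thread
# (kid/uid fields and the PGP signature block trimmed; neither is checked here).
PROOF_TEXT = """Keybase proof

I hereby claim:

  I am mirimira on reddit.
  I am mirimir on keybase.
  I have a public key whose fingerprint is BF24 D19E 7B33 536E 7512 BA47 620D 6551 17C2 E43E

To claim this, I am signing this object:

{
  "body": {
    "key": {
      "fingerprint": "bf24d19e7b33536e7512ba47620d655117c2e43e",
      "host": "keybase.io",
      "key_id": "620d655117c2e43e",
      "username": "mirimir"
    },
    "service": {"name": "reddit", "username": "mirimira"},
    "type": "web_service_binding",
    "version": 1
  },
  "ctime": 1420677929,
  "expire_in": 157680000,
  "prev": "49d2842ae0aab85efe1e6879e010dcabf3e0ab06c6c2e3f6f0a288b12fe0f55a",
  "seqno": 2,
  "tag": "signature"
}

with the PGP key referenced above, yielding the PGP signature:
"""

CLAIM_RE = re.compile(r"I am (\S+) on (\S+)\.")
FPR_RE = re.compile(r"fingerprint is ([0-9A-Fa-f ]+)")


def parse_proof(text):
    """Split a proof into its prose claims and the JSON object that was signed."""
    services = {svc: user for user, svc in CLAIM_RE.findall(text)}
    fpr = FPR_RE.search(text).group(1).replace(" ", "").lower()
    start = text.index("{", text.index("signing this object:"))
    statement = json.loads(text[start:text.rindex("}") + 1])
    return {"services": services, "fingerprint": fpr, "statement": statement}


def check_proof(text):
    """Return the inconsistencies found; an empty list means prose and JSON agree."""
    proof = parse_proof(text)
    body = proof["statement"]["body"]
    key, svc = body["key"], body["service"]
    problems = []
    if body.get("type") != "web_service_binding":
        problems.append("unexpected statement type %r" % body.get("type"))
    if key["fingerprint"].lower() != proof["fingerprint"]:
        problems.append("fingerprint in JSON differs from fingerprint in prose")
    # A v4 OpenPGP key ID is the low 64 bits (last 16 hex digits) of the fingerprint.
    if key["key_id"].lower() != proof["fingerprint"][-16:]:
        problems.append("key_id is not the tail of the fingerprint")
    if proof["services"].get("keybase") != key["username"]:
        problems.append("keybase username in prose differs from JSON")
    if proof["services"].get(svc["name"]) != svc["username"]:
        problems.append("service claim in prose differs from JSON")
    return problems


def snapshot_digest(snapshot):
    """Canonical hash of a claim set, so independent trackers can compare what they saw."""
    canon = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_snapshots(old, new):
    """Alerts a tracker would raise between two snapshots of one user (assumed rules)."""
    alerts = []
    if old["fingerprint"] != new["fingerprint"]:
        alerts.append("KEY CHANGED: %s -> %s" % (old["fingerprint"], new["fingerprint"]))
    for service, user in old["proofs"].items():
        if service not in new["proofs"]:
            alerts.append("PROOF REMOVED: %s" % service)
        elif new["proofs"][service] != user:
            alerts.append("PROOF CHANGED: %s %s -> %s" % (service, user, new["proofs"][service]))
    for service in sorted(new["proofs"].keys() - old["proofs"].keys()):
        alerts.append("PROOF ADDED: %s (confirm out of band)" % service)
    return alerts


if __name__ == "__main__":
    proof = parse_proof(PROOF_TEXT)
    print("proof problems:", check_proof(PROOF_TEXT) or "none")
    seen = {"fingerprint": proof["fingerprint"], "proofs": proof["services"]}
    later = {"fingerprint": "0" * 40, "proofs": {"reddit": "someone_else"}}  # constructed
    print("snapshot digest:", snapshot_digest(seen))
    for alert in diff_snapshots(seen, later):
        print(alert)
```

The digest is what two trackers would exchange to confirm they saw the same claim set for a user; a key change or a removed proof is the signal worth following up on, while a newly added proof is only informational until it has been checked on the service itself.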